> I've been using pf for years and really like it. I accidentally discovered
> some undesirable behavior from the rule parser that caused some rules to be
> skipped. This has happened to me twice and there was much hair pulling.
>
> The short version is rules starting with # but ending in \ get treated as a
> multi-line comment instead of a single-line comment and it has the risk of
> silently ignoring a wanted rule immediately below. This does not match
> the behavior I'd expect, for example a line starting with # is entirely
> ignored in /bin/sh:
>
> # echo this is a comment \
> echo this is not a comment \
> or is it?
>
> # sh test.sh
> this is not a comment or is it?
>
> But in pf.conf:

pf is not sh. it isn't cpp either. nor is it m4.

> I try to keep my firewall rules less than 80 chars in case I need to edit
> them on a dumb terminal. Sometimes I end up duplicating a continued line to
> make changes to an alternate copy and comment out the original, but if the
> newly commented out line ends in a backslash, my intended replacement is
> ignored.
>
> I think pfctl should act like sh and ignore a line entirely if it begins with
> a comment. Thanks for your consideration.

Unfortunately, it is too late to make such a change in the parser. That ship
has sailed.
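The two reading orders the thread contrasts, as an added example that is not pfctl's code and not part of the original thread. The pfctl-style model assumes what the poster observed and what pfctl's parse.y reader does as far as I can tell: a backslash immediately followed by a newline is dropped while characters are read, before the lexer has decided whether it is inside a '#' comment, so a comment line ending in a backslash swallows the next physical line. The sh-style model classifies the physical line first. The sample pf.conf text is constructed for the demonstration, and the '#'-anywhere comment rule ignores quoting, which is a simplification. The lint function at the end is the check a practitioner would want to run over a ruleset before loading it.

```python
"""Model of backslash-newline handling in two readers, plus a lint.

Added example, not pfctl's code. The pfctl-style reader below is an
assumption modelled on the behaviour reported in the thread (continuation
is joined before comment detection); the sh-style reader classifies a
physical line as a comment before looking for a trailing backslash.
"""

# Constructed sample: line 1 is a commented-out copy of a continued rule,
# line 2 is the intended replacement, lines 3-4 are a legitimately
# continued rule, line 5 is a plain rule.
SAMPLE = (
    "# pass in on egress proto tcp to (egress) port 2222 \\\n"
    "pass in on egress proto tcp to (egress) port 22\n"
    "pass out on egress proto { tcp udp } \\\n"
    "    from any to any\n"
    "block all\n"
)


def logical_lines_pfctl_style(text):
    """Join physical lines the way the thread says pfctl does: a backslash
    followed by a newline is dropped while characters are being read, so a
    '#' comment simply keeps going into the next physical line.
    Returns [(logical_line, first_physical_line_number)]."""
    out, buf = [], []
    lineno = start = 1
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\" and text[i + 1 : i + 2] == "\n":
            lineno += 1  # continuation: keep reading into the next line
            i += 2
            continue
        if c == "\n":
            out.append(("".join(buf), start))
            buf = []
            lineno += 1
            start = lineno
            i += 1
            continue
        buf.append(c)
        i += 1
    if buf:
        out.append(("".join(buf), start))
    return out


def logical_lines_sh_style(text):
    """Join physical lines the way sh does for the case in the thread: a
    line whose first non-blank character is '#' is a comment as a whole,
    so its trailing backslash continues nothing. Other lines ending in a
    backslash are joined with the following physical line."""
    out, buf = [], []
    start = None
    for lineno, line in enumerate(text.split("\n"), 1):
        if not buf and line.lstrip().startswith("#"):
            out.append((line, lineno))  # whole-line comment, kept as-is
            continue
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        out.append(("".join(buf), start))
        buf, start = [], None
    if buf:
        out.append(("".join(buf), start))
    return out


def rules(logical_lines):
    """Drop comments and blank lines and normalise whitespace.
    Simplification: a '#' anywhere starts a comment (quoting is ignored)."""
    result = []
    for line, lineno in logical_lines:
        line = " ".join(line.split("#", 1)[0].split())
        if line:
            result.append((line, lineno))
    return result


def pfctl_style_rules(text):
    return rules(logical_lines_pfctl_style(text))


def sh_style_rules(text):
    return rules(logical_lines_sh_style(text))


def lint_comment_continuations(text):
    """Flag lines that contain a '#' and end in a backslash: under the
    pfctl-style reader these swallow the next physical line.
    Returns [(lineno, stripped_line)]."""
    hits = []
    for lineno, line in enumerate(text.split("\n"), 1):
        stripped = line.strip()
        if "#" in stripped and stripped.endswith("\\"):
            hits.append((lineno, stripped))
    return hits


if __name__ == "__main__":
    print("pfctl-style:", pfctl_style_rules(SAMPLE))
    print("sh-style:   ", sh_style_rules(SAMPLE))
    for lineno, line in lint_comment_continuations(SAMPLE):
        print(f"line {lineno}: comment ends in backslash, next line is "
              f"swallowed: {line}")
```

Run it and the pfctl-style list is missing the `port 22` rule from line 2, which the sh-style list keeps; the lint names line 1 as the cause. The check is deliberately a plain text scan over physical lines, so it can run on a ruleset before `pfctl -nf` and independently of how the parser joins lines.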
